Skip to main content

Skillber v1.0 is here!

Learn more

IAM/PAM Architectures

Checking access...

Choosing the right IAM/PAM architecture is one of the most consequential decisions in an identity program. The architecture determines scalability, resilience, operational complexity, and the organisation’s ability to adapt to changing requirements.

Architecture Patterns Overview

PatternBest ForComplexityScalabilitySecurity
Hub-and-SpokeCentralised control, regulated industriesMediumGoodStrong
Cloud-HybridCloud migration, multi-cloudHighExcellentStrong
Microservices/API-FirstCloud-native, SaaS providersHighExcellentVery Strong
Zero TrustHigh-security, remote-firstHighGoodStrongest

Hub-and-Spoke Architecture

Structure

A central IAM/PAM platform (hub) connects to multiple target systems (spokes). The hub centralises policy management, identity provisioning, credential vaulting, and session management while enforcement occurs at the spoke level.

┌──────────────────────────────────────────────────────────────┐
│ HUB (Central) │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ IGA Engine │ │ PAM Vault │ │ IdP/SSO │ │
│ │ Policy Mgt │ │ Session Mgt │ │ MFA │ │
│ │ Certificat.│ │ Cred Vault │ │ Token Svc │ │
│ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │
│ │ │ │ │
└─────────┼────────────────┼────────────────┼──────────────────┘
│ │ │
┌────┴────┐ ┌────┴────┐ ┌────┴────┐
│ Spoke 1 │ │ Spoke 2 │ │ Spoke 3 │
│ (Prod) │ │ (Dev) │ │ (DR) │
└─────────┘ └─────────┘ └─────────┘

When to Use

CriteriaRecommendation
Number of target systems50+ (the hub reduces per-system management complexity)
Geographic distributionMultiple regions (hub in each region with central management)
Regulatory requirementsData residency, audit trail centralisation
Existing directory infrastructureCentralised AD or LDAP deployment
Operational modelCentralised IAM team with local IT support

Advantages and Challenges

AspectAdvantageChallenge
Policy managementSingle point for policy definition and distributionSpoke-specific policy exceptions add complexity
Audit and reportingCentralised audit trail across all spoke systemsHigh-volume log centralisation requires bandwidth
User experienceConsistent authentication across spokesHub becomes a single point of failure
Operational costLower per-system management costHub infrastructure cost is concentrated

Cloud-Hybrid Architecture

Structure

Bridges on-premises and cloud resources with a cloud IdP as the authoritative identity source and on-premises directories synchronised to the cloud.

┌──────────────────────┐ ┌─────────────────────────┐
│ ON-PREMISES │ │ CLOUD │
│ │ │ │
│ ┌─────────────────┐ │ │ ┌───────────────────┐ │
│ │ Active Directory│─┼─────┼─>│ Cloud IdP │ │
│ │ (Authoritative) │ │ Sync│ │ (Okta/Azure/One) │ │
│ └─────────────────┘ │ │ └────────┬──────────┘ │
│ │ │ │ │
│ ┌─────────────────┐ │ │ ┌────────┴──────────┐ │
│ │ On-prem PAM │ │ │ │ Cloud PAM │ │
│ │ (Servers/Apps) │─┼─────┼─>│ (Cloud Consoles) │ │
│ └─────────────────┘ │ │ └───────────────────┘ │
│ │ │ │
│ ┌─────────────────┐ │ │ ┌───────────────────┐ │
│ │ On-prem Apps │─┼─────┼─>│ SaaS Apps │ │
│ │ (SAML/OIDC) │ │ │ │ (via IdP Proxy) │ │
│ └─────────────────┘ │ │ └───────────────────┘ │
└──────────────────────┘ └─────────────────────────┘

Directory Synchronisation Strategy

ApproachLatencyComplexityUse Case
Real-time sync (SCIM)SecondsMediumCloud IdP as primary directory
Near-real-time (Delta sync)MinutesLowAD Connect, Okera LDAP Agent
Batch sync (Daily)HoursVery LowNon-critical identity data
Event-driven (HRIS trigger)MinutesMediumHRIS attribute changes

When to Use

CriteriaRecommendation
SaaS adoption30%+ SaaS applications (cloud IdP for SSO)
Cloud infrastructureMulti-cloud or significant cloud native workload
On-premises investmentSignificant AD/LDAP infrastructure already deployed
Hybrid workforceMix of on-prem and remote users
Merger/AcquisitionBridge between different identity domains

Microservices / API-First Architecture

Structure

For cloud-native environments, IAM/PAM capabilities are delivered as APIs and services rather than monolithic platforms:

┌──────────────────────────────────────────────────────────────┐
│ API GATEWAY │
│ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ │
│ │Auth N │ │Token │ │Policy │ │User │ │Audit │ │
│ │Service │ │Service │ │Engine │ │Service │ │Service │ │
│ └────────┘ └────────┘ └────────┘ └────────┘ └────────┘ │
│ │ │ │ │ │ │
└────────┼──────────┼──────────┼──────────┼──────────┼─────────┘
│ │ │ │ │
┌────┴────┐ ┌───┴───┐ ┌───┴───┐ ┌───┴───┐ ┌───┴───┐
│Microsvc │ │ Micro │ │ Micro │ │ Micro │ │ Micro │
│ A │ │ svc B│ │ svc C│ │ svc D│ │ svc E│
└─────────┘ └───────┘ └───────┘ └───────┘ └───────┘

Key Design Principles

PrincipleImplementation
API-firstAll IAM capabilities exposed as REST/HTTP APIs
StatelessAuthentication state in tokens (JWTs), not server sessions
Policy-as-codeAuthorisation policies in OPA/Cedar, version-controlled
Decentralised enforcementEach service enforces its own authorisation decisions
Centralised managementPolicy management, auditing, and reporting are centralised
Workload identityService-to-service authentication via SPIFFE/SPIRE or OAuth client credentials
Zero standing privilegesJIT credential delivery for service accounts

Zero Trust Architecture

Core Principles Applied to IAM

Zero Trust PrincipleIAM Implementation
Verify explicitlyAuthenticate and authorise every access request regardless of source
Least privilegeJIT access, just-enough-admin, granular RBAC/ABAC
Assume breachContinuous verification, session monitoring, credential rotation
Micro-segmentationNetwork segmentation enforced through identity-aware policies
Continuous validationReal-time risk scoring, session timeout enforcement, device posture check

Zero Trust IAM Architecture

User Request ──> Identity Verification ──> Device Posture Check ──> Context Evaluation
│ │ │ │
│ ┌────────┴────────┐ ┌────────┴────────┐ ┌──────┴──────┐
│ │ IdP: MFA │ │ MDM: OS version │ │ Location │
│ │ Risk scoring │ │ Patch level │ │ Time │
│ │ Device identity │ │ Disk encryption │ │ Sensitivity │
│ └─────────────────┘ └─────────────────┘ │ Risk level │
│ └──────┬──────┘
│ │
└─────────────────────────────┬────────────────────────────────────┘
v
┌─────────────────────┐
│ Policy Decision │
│ (Allow/Deny/Step-up)│
└─────────────────────┘
Allow ────┴──── Deny
│ │
v v
Access Granted Access Denied
(JIT ticket) (Audit logged)

Architecture Decision Framework

Decision Criteria

FactorWeightHub-SpokeCloud-HybridMicroservicesZero Trust
Number of systemsHigh50+ systems100+ systems100+ microservicesAny scale
Cloud adoptionHighLow-MediumMedium-HighHighMedium-High
Security requirementsHighStrongStrongVery StrongStrongest
Operational maturityMediumMediumMedium-HighHighHigh
Regulatory requirementsHighStrong fitGood fitChallengingStrong fit
Existing investmentHighOn-prem AD/IGAHybrid infraCloud-nativeNew deployment

Architecture Selection Matrix

Your SituationRecommended Architecture
On-premises, regulated industry, 50+ appsHub-and-Spoke
Mixed on-prem/cloud, 30%+ SaaSCloud-Hybrid
Cloud-native, microservices, high scaleMicroservices/API-First
High security, remote workforce, zero trust mandateZero Trust
Post-merger, multiple identity domainsCloud-Hybrid with IdP Bridging
Small organisation (< 500 users)Cloud-Hybrid (SaaS IGA/PAM)

Key Takeaways

  • Four primary IAM/PAM architecture patterns exist: hub-and-spoke (centralised control), cloud-hybrid (bridging on-prem and cloud), microservices/API-first (cloud-native), and zero trust (no implicit trust)
  • Hub-and-spoke centralises policy management and audit in a single platform but creates a potential single point of failure — best for regulated industries with 50+ on-premises systems
  • Cloud-hybrid architecture uses directory synchronisation (SCIM, delta sync, batch) to bridge on-prem AD/LDAP with cloud IdP — ideal for hybrid infrastructure with significant SaaS adoption
  • Microservices/API-first architecture applies API-first, stateless, policy-as-code, and decentralised enforcement principles — designed for cloud-native environments at scale
  • Zero trust architecture applies five principles (verify explicitly, least privilege, assume breach, micro-segmentation, continuous validation) — every access request is fully authenticated, authorised, and risk-evaluated regardless of network location
  • The architecture decision framework considers number of systems, cloud adoption, security requirements, operational maturity, regulatory requirements, and existing investment to select the optimal pattern
  • Architecture maturity is not binary — most organisations evolve through stages: ad hoc → centralised → standardised → automated → adaptive, and the architecture pattern may change at each stage